H3C S3100 8C SI Operation Manual page 285


Operation Manual – MSTP
H3C S3100 Series Ethernet Switches
bridge to be elected and network topology jitter to occur. In this case, flows that should
travel along high-speed links may be led to low-speed links, and network congestion
may occur.
You can avoid this problem by utilizing the root guard function. Ports with this function
enabled can only be kept as designated ports in all spanning tree instances. When a
port of this type receives configuration BPDUs with higher priorities, it turns to the
discarding state (rather than becoming a non-designated port) and stops forwarding
packets (as if it were disconnected from the link). It resumes the normal state if it does not
receive any configuration BPDUs with higher priorities for a specified period.
III. Loop guard
A switch maintains the states of the root port and other blocked ports by receiving and
processing BPDUs from the upstream switch. These BPDUs may get lost because of
network congestion or unidirectional link failures. If a switch does not receive BPDUs
from the upstream switch for a certain period, the switch selects a new root port; the
original root port becomes a designated port; and the blocked ports turn to the
forwarding state. This may cause loops in the network.
The loop guard function suppresses loops. With this function enabled, if link
congestion or unidirectional link failures occur, both the root port and the blocked ports
become designated ports and turn to the discarding state. In this case, they stop
forwarding packets, and thereby loops can be prevented.
Caution:
With the loop guard function enabled, the root guard function and the edge port
configuration are mutually exclusive.
IV. TC-BPDU attack guard
Normally, a switch removes its MAC address table and ARP entries upon receiving
TC-BPDUs. If a malicious user sends a large number of TC-BPDUs to a switch in a
short period, the switch may be kept busy removing the MAC address table and ARP
entries, which may affect spanning tree calculation, occupy a large amount of bandwidth
and increase switch CPU utilization.
With the TC-BPDU attack guard function enabled, a switch performs a removing
operation upon receiving a TC-BPDU and triggers a timer (set to 10 seconds by default)
at the same time. Before the timer expires, the switch performs the removing
operation only a limited number of times (up to six times by default) regardless of the
number of TC-BPDUs it receives. Such a mechanism prevents a switch from being kept
busy removing the MAC address table and ARP entries.
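The timer and removal limit described above, modelled as a small simulation. This is an added example, not code from the H3C manual or the switch firmware. It assumes that the removal which starts the timer counts toward the limit and that TC-BPDUs over the limit are ignored; the class, function and variable names are hypothetical.

```python
class TcBpduGuard:
    """Model of the guard: at most max_flushes table removals per timer window."""

    def __init__(self, window_s=10.0, max_flushes=6, enabled=True):
        self.window_s = window_s        # timer length; 10 seconds is the manual's default
        self.max_flushes = max_flushes  # removals allowed per timer; six is the default
        self.enabled = enabled
        self.window_start = None        # arrival time of the TC-BPDU that started the timer
        self.window_flushes = 0         # removals performed since the timer started
        self.flushes = 0                # total MAC/ARP table removals performed
        self.suppressed = 0             # TC-BPDUs that did not trigger a removal

    def on_tc_bpdu(self, now):
        """Return True if the TC-BPDU arriving at time `now` causes a removal."""
        if not self.enabled:
            self.flushes += 1           # unguarded switch: every TC-BPDU flushes
            return True
        expired = (self.window_start is None
                   or now - self.window_start >= self.window_s)
        if expired:                     # first TC-BPDU after expiry restarts the timer
            self.window_start = now
            self.window_flushes = 0
        if self.window_flushes < self.max_flushes:
            self.window_flushes += 1
            self.flushes += 1
            return True
        self.suppressed += 1            # over the limit: no removal until expiry
        return False


def replay(arrival_times, **guard_args):
    """Feed arrival times (seconds) to a fresh guard; return (flushes, suppressed)."""
    guard = TcBpduGuard(**guard_args)
    for t in arrival_times:
        guard.on_tc_bpdu(t)
    return guard.flushes, guard.suppressed


# Constructed input: 200 TC-BPDUs per second sustained for 25 seconds.
FLOOD = [i / 200 for i in range(5000)]
# Constructed input: an ordinary topology change producing three TC-BPDUs.
NORMAL = [0.0, 2.0, 4.0]

if __name__ == "__main__":
    print("flood, guard off:", replay(FLOOD, enabled=False))
    print("flood, guard on: ", replay(FLOOD))
    print("normal, guard on:", replay(NORMAL))
```

The suppressed count is also a useful monitoring signal: a port whose TC-BPDUs are repeatedly suppressed is receiving topology changes far faster than a stable network produces them.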
1-44
Chapter 1 MSTP Configuration


This manual is also suitable for:

S3100-si series, S3100-ei series
